(54) Message authentication system and method

(57) A message authentication system for generating a message authentication code (MAC) uses a single iteration of a keyed compression function when a message fits within an input block of the compression function, thereby improving efficiency. For messages that are larger than a block, the MAC system uses nested hash functions. The MAC system and method can use portions of the message as inputs to the nested hash functions. For example, the message authentication system can split the message into a first portion and a second portion. A hash function is performed using the first portion of the message as an input to achieve an intermediate result, and a keyed hash function is performed using a second portion of the message and the intermediate result as inputs. Thus, less of the message needs to be processed by the inner hash function, thereby improving efficiency, especially for smaller messages.

Description

Background Of The Invention 
1. Field of The Invention

[0001] The present invention relates to communications and, more specifically, to the authentication of messages.

2. Description of Related Art

[0002] FIG. 1 depicts a schematic diagram of first and second wireless communications systems which provide wireless communications service to wireless units (e.g., wireless units 12a-c) that are situated within the geographic regions 14 and 16, respectively. A Mobile Switching Center (e.g., MSCs 20 and 24) is responsible for, among other things, establishing and maintaining calls between the wireless units, calls between a wireless unit and a wireline unit (e.g., wireline unit 25), and/or connections between a wireless unit and a packet data network (PDN), such as the Internet. As such, the MSC interconnects the wireless units within its geographic region with a public switched telephone network (PSTN) 28 and/or a packet data network (PDN) 29. The geographic area serviced by the MSC is divided into spatially distinct areas called "cells." As depicted in FIG. 1, each cell is schematically represented by one hexagon in a honeycomb pattern; in practice, however, each cell has an irregular shape that depends on the topography of the terrain surrounding the cell.

[0003] Typically, each cell contains a base station (e.g., base stations 22a-e and 26a-e), which comprises the radios and antennas that the base station uses to communicate with the wireless units in that cell. The base stations also comprise the transmission equipment that the base station uses to communicate with the MSC in the geographic area. For example, MSC 20 is connected to the base stations 22a-e in the geographic area 14, and an MSC 24 is connected to the base stations 26a-e in the geographic region 16. Within a geographic region, the MSC switches calls between base stations in real time as the wireless unit moves between cells, referred to as call handoff. Depending on the embodiment, a base station controller (BSC) can be a separate base station controller (BSC) (not shown) connected to several base stations or located at each base station which administers the radio resources for the base stations and relays information to the MSC.

[0004] The MSCs 20 and 24 use a signaling network 32, such as a signaling network conforming to the standard identified as TIA/EIA-41-D entitled "Cellular Radiotelecommunications Intersystem Operations," December 1997 ("IS-41"), which enables the exchange of information about the wireless units which are roaming within the respective geographic areas 14 and 16. For example, a wireless unit 12a is roaming when the wireless unit 12a leaves the geographic area 14 of the MSC 20 to which it was originally assigned (e.g., home MSC). To ensure that a roaming wireless unit can receive a call, the roaming wireless unit 12a registers with the MSC 24 in which it presently resides (e.g., the visitor MSC) by notifying the visitor MSC 24 of its presence. Once a roaming wireless unit 12a is identified by a visitor MSC 24, the visitor MSC 24 sends a registration request to the home MSC 20 over the signaling network 32, and the home MSC 20 updates a database 34, referred to as the home location register (HLR), with the identification of the visitor MSC 24, thereby providing the location of the roaming wireless unit 12a to the home MSC 20. After a roaming wireless unit is authenticated, the home MSC 20 provides to the visitor MSC 24 a customer profile. Upon receiving the customer profile, the visitor MSC 24 updates a database 36, referred to as the visitor location register (VLR), to provide the same features as the home MSC 20. The HLR, VLR and/or the authentication center (AC) can be co-located at the MSC or remotely accessed.

[0005] In the Universal Mobile Telecommunications System (UMTS) and 3G IS-41, when a wireless unit places or receives a call, it is authenticated before it can proceed with the call. After being authenticated, a 128 bit integrity key (IK), which was generated using a secret key, is activated and can be used in checking the integrity of a message sent between the wireless unit and the system or message authentication.

[0006] The design of good Message Authentication schemes is one of the important areas of cryptography. The goal in message authentication schemes is for one party to efficiently transmit a message to another party in such a way that the receiving party can determine whether or not the message he receives has been tampered with. FIG. 2 shows how message authentication is performed with a wireless unit in a wireless communications system. The setting involves two parties, the wireless unit and the wireless communications system, who have agreed on a secret key k. There are two algorithms used: a signing algorithm $S_k$ and a verification algorithm $V_k$. If the wireless unit wants to send a message M to the wireless communications system, then she first computes a tag or message authentication code (MAC), $\mu = S_k(M)$, using MAC generator 60. The unit sends the message and the tag pair $(M, \mu)$ to the wireless communications system, and upon receiving the pair $(M, \mu)$, the wireless communications system computes $V_k(M, \mu)$ which returns 1 if the MAC is valid, or returns 0 otherwise. It is shown in FIG. 2 that the wireless communications system inputs the message and the k into the MAC generator 52 which produces a tag', and a comparison 54 is made between the tag received from the wireless unit and the tag' generated at the system. If they are the same, the message is accepted as valid; otherwise, the message is rejected. Without knowledge of the secret key k, it is next to impossible for an adversary to construct a message and corresponding MAC that the verification algorithm will accept as valid.

[0007] The same message authentication scheme is performed in the transmission of messages from the wireless communications system to the wireless unit. For example, FIG. 3 shows how the wireless communications system sends a protected message to a wireless unit by generating a tag with a MAC generator 56 using the message and a secret key k as inputs. The wireless communications system sends a message along with the tag to a wireless unit which inputs the message and the secret key k into a MAC generator 58 to generate a tag'. The wireless unit makes a comparison 60 between tag' and the tag received from the wireless communications system. If the tags match, the message is accepted as valid. If not, the message is rejected as being altered or invalid.

[0008] The security requirement for a Message Authentication Code can be explained as follows. An adversary forges a MAC if, when given the ability to query the MAC $S_k$, $V_k$, on chosen messages, where k is kept secret, the adversary can come up with a valid pair $(M^*, \mu^*)$ such that $V_k(M^*, \mu^*) = 1$ but the message $M^*$ was never made an input to $S_k$.

[0009] One common approach to message authentication commonly seen in practice involves the use of cryptographic hash functions. A hash function can be typically characterized as a function which maps inputs of one length to outputs of a shorter length. Moreover, it is difficult to find two inputs which will map to the same output. These MAC schemes based on cryptographic hash functions are good because they use fast and secure cryptographic building blocks. Typically, cryptographic hash functions, F(x), are public, keyless, and collision-resistant functions which map inputs, x, of arbitrary lengths into short outputs. Collision-resistance implies that it should be computationally infeasible to find two messages $x_1$ and $x_2$ such that $F(x_1) = F(x_2)$. MD5, SHA-1, and RIPE-MD are widely used cryptographic hash functions. Along with collision-resistance, the hash functions are usually designed to have other properties both in order to use the function for other purposes and to increase the likelihood of collision-resistance.

[0010] Most cryptographic hash functions like MD5 and SHA-1 use an iterated construction where the input message is processed block by block. As shown in FIG. 4, the basic building block is called the compression function, f, which is a hash function that takes two inputs of size t and b and maps into a shorter output of length t. In MD5, the t size input is 128 bits long and the b size input is 512 bits long. In SHA-1, the t size input is 160 bits long and the b size input is 512 bits long. The t sized input is called the chaining variable and the b sized input or payload or block is used to actually process the message x, b bits at a time. As shown in FIG. 5, the hash function F(x) then is formed by iterating the compression function f over the message m using $h_i$ as the chaining variable and $x_i$ as the payload according to the following steps:

1. Use an appropriate procedure to append the message length and pad to make the input a multiple of the block size b. The input can be broken into block size pieces $x = x_1, \ldots, x_n$.

2. $h_0 = IV$, a fixed constant.

3. For i = 1 to n

4. $h_i = f(h_{i-1}, x_i)$

5. Output $h_n$ as F(x).

For example, in using a SHA-1 hash function, each call to the SHA-1 hash function has a 160 bit initial vector (IV) and takes a 512 bit input or payload which is mapped into a 160 bit output. The IV is set to the IV defined in the standard for SHA-1 hash function, referred to as National Institute of Standards and Technology, NIST FIPS PUB 180, "Secure Hash Standard," U.S. Department of Commerce, May 1993.

[0011] Cryptographic hash functions by design are keyless. However, since message authentication requires the use of a secret key, we need a method to key the hash function. One way to key the hash function is to use the secret key instead of the fixed and known IV. As shown in FIG. 6, the key k replaces the chaining variable in the compression function $f(\text{chaining variable}, x_1)$ to form $f_k(x_1) = f(k, x_1)$ where $x_1$ is of block size b. The iterated hash function F(IV, x) is modified by replacing the fixed IV with the secret key k to form $F_k(x) = F(k, x)$. Collision resistance for a keyed function is different than for keyless functions because the adversary cannot evaluate $F_k(x)$ at any point without querying the user. This requirement is weaker than the standard collision requirement and hence we will call the function $F_k(x)$ to be weakly collision-resistant.

[0012] To improve the security of the keyed cryptographic hash function, a nested MAC function (NMAC) was developed which is defined as:

$$NMAC_k(x) = F_{k_1}(F_{k_2}(x)),$$

where the cryptographic hash function F is first keyed with the secret key $k_2$ instead of IV and the message x is iteratively hashed to the output of $F_{k_2}(x)$. This output $F_{k_2}(x)$ is then padded to a block size according to the padding scheme of F and then the result of $F_{k_2}(x)$ is keyed with secret key $k_1$ and hashed with an outer hash function F as shown in FIG. 7. Thus, the NMAC key k has two parts $k = (k_1, k_2)$. The following theorem relating the security of NMAC to the security of the underlying cryptographic hash function is proved in M. Bellare, R. Canetti, and H. Krawczyk, Keying Hash Functions for Message Authentication, In Proc. CRYPTO 96, Lecture Notes in Computer Science, Springer-Verlag, 1996.

[0013] Theorem 1: In t steps and q queries, if the keyed compression function f is an $\epsilon_f$ secure MAC and the keyed iterated hash F is $\epsilon_F$ weakly collision-resistant, then the NMAC function is an $(\epsilon_f + \epsilon_F)$ secure MAC.

[0014] The NMAC construction makes at least two calls to the compression function; the inner call to $F_{k_2}(x)$ has the same cost as the keyless hash function F(x). Thus, the outer call to $F_{k_1}$ is an extra call beyond that required by the keyless hash function. The outer function call is basically a call to the keyed compression function $f_{k_1}$ since the t size output of $F_{k_2}(x)$ can fit in the b size input to the compression function. For large x consisting of many blocks, the cost of the extra outer compression call is not significant. However, for small sized messages x, the extra outer compression function can in terms of percentage result in a significantly high inefficiency when compared to the unkeyed hash function. Table 1 shows the inefficiency for small x for the SHA-1 hash function. The number of compression calls needed by the underlying hash function and by NMAC are compared for various small x, increasing in 30 byte increments. The inefficiency of NMAC with respect to the underlying hash function is also noted in the table.



Table 1: Comparison in number of compression calls for short messages of various sizes

x in 240 bit increments    # of f in F(x)    # of f in NMAC    % inefficiency
240                        1                 2                 100%
480                        2                 3                 50%
720                        2                 3                 50%
960                        3                 4                 33%
1200                       3                 4                 33%
1440                       3                 4                 33%
1680                       4                 5                 25%
1920                       4                 5                 25%
2160                       5                 6                 20%
2400                       5                 6                 20%

[0015] As can be seen, the penalty for small messages can be large. In particular, for messages which fit within a block, the penalty is 100% because two compression function calls are required in NMAC versus one compression call by the underlying cryptographic hash function.

[0016] HMAC is a practical variant of NMAC for those implementations which do not have access to the compression function f but can only call the cryptographic hash function F with the message. For those implementations, the key cannot be placed in the chaining variable, and the function F is called with the fixed and known IV used in the initial compression function. The HMAC function is defined as:

$$HMAC_k(x) = F(\bar{k} \oplus opad, F(\bar{k} \oplus ipad, x))$$

where a key k is used and $\bar{k}$ is the padding of k with zeroes to complete the b block size of the iterated hash function. The value $\bar{k}$ is bitwise exclusive ORed with opad, and the result is concatenated to the message x. The hash function F is called with the entire concatenated message. As shown in FIG. 8, after the first iteration of the compression function f, the key $k_2$ is produced as $k_2 = f(\bar{k} \oplus ipad)$. After the hash function F is complete, the resulting value $F(\bar{k} \oplus ipad, x)$ is produced. The hash function F is called again with a message comprising the value of $\bar{k} \oplus opad$, a bitwise exclusive-or operation with $\bar{k}$ and opad. After the first iteration within the second call of the hash function F, the key $k_1$ is obtained from the compression function $f(IV, \bar{k} \oplus opad)$. The values ipad and opad are fixed constants as described in M. Bellare, R. Canetti, and H. Krawczyk, Keying Hash Functions for Message Authentication, In Proc. CRYPTO 96, Lecture Notes in Computer Science, Springer-Verlag, 1996. The second iteration within the second call to the hash function uses the compression function $f(k_1, F(\bar{k} \oplus ipad, x))$ to produce the HMAC function $F(\bar{k} \oplus opad, F(\bar{k} \oplus ipad, x))$.

[0017] By defining $k_1 = f(\bar{k} \oplus opad)$ and $k_2 = f(\bar{k} \oplus ipad)$, $HMAC_k(x)$ becomes $NMAC_{(k_1, k_2)}(x)$. HMAC is the Internet standard for message authentication. As shown, HMAC's proof of security is related to NMAC and assumes the underlying cryptographic hash is (weakly) collision resistant and that the underlying compression function is a secure MAC when both are appropriately keyed. HMAC is efficient for long messages; however, for short messages the nested construction results in a significant inefficiency. For example, to MAC a message shorter than a block where access is not provided to the compression function, HMAC requires four calls to the compression function. Where access is permitted to the compression function, $k_1$ and $k_2$ can be precomputed and inserted into the chaining variable of the compression function, thereby requiring two calls to the compression function. This inefficiency may be particularly high for some applications, like message authentication of signaling messages, where the individual messages may all fit within one or two blocks. Also for TCP/IP traffic it is well known that a large number of packets (e.g., acknowledgment) have sizes around 40 bytes which fit within a block of most cryptographic hashes. We propose an enhancement that allows both short and long messages to be message authenticated more efficiently than HMAC while also providing proofs of security.

SUMMARY OF THE INVENTION

[0018] In accordance with an aspect of the present invention, a message authentication system for generating a message authentication code (MAC) uses a single iteration of a keyed compression function when a message fits within an input block of the compression function, thereby improving efficiency. For messages that are larger than a block, the MAC system uses nested hash functions. In accordance with another aspect of the present invention, the MAC system and method uses portions of the message as inputs to the nested hash functions. For example, the message authentication system can split the message into a first portion and a second portion. A hash function is performed using the first portion of the message as an input to achieve an intermediate result, and a keyed hash function is performed using a second portion of the message and the intermediate result as inputs. Thus, less of the message needs to be processed by the inner hash function, thereby improving efficiency, especially for smaller messages.

BRIEF DESCRIPTION OF THE DRAWINGS 

[0019] Other aspects and advantages of the present invention may become apparent upon reading the following detailed description and upon reference to the drawings in which:

FIG. 1 shows a general diagram of wireless communications systems for which the MAC generation system according to the principles of the present invention can be used;

FIG. 2 is a general diagram illustrating how a MAC is used to authenticate messages sent from a wireless unit to a wireless communications system;

FIG. 3 is a general diagram illustrating how a MAC is used to authenticate messages sent from a wireless communications system to a wireless unit;

FIG. 4 is a block diagram of a compression function f;

FIG. 5 is a block diagram illustrating the iterated construction of a hash function F given a compression function f;

FIG. 6 is a block diagram illustrating a keyed hash function;

FIG. 7 is a block diagram illustrating a nested hash function (NMAC);

FIG. 8 is a block diagram illustrating a variant of an NMAC function known as HMAC;

FIG. 9 is a block diagram of a single block case in the message authentication system according to principles of the present invention;

FIG. 10 shows a block diagram of a multiple block case in the message authentication system according to principles of the present invention;

FIGs. 11a and 11b show block diagrams of an ENMAC embodiment of the message authentication system according to principles of the present invention;

FIG. 12 shows a flow diagram of an ENMAC embodiment of the message authentication system according to principles of the present invention;

FIGs. 13a and 13b show block diagrams of an EHMAC embodiment of the message authentication system according to principles of the present invention;

FIGs. 14a and 14b show block diagrams of an SMAC embodiment of the message authentication system according to principles of the present invention; and

FIG. 15 shows a flow diagram for an SMAC embodiment of the message authentication system according to principles of the present invention.

DETAILED DESCRIPTION 

[0020] Illustrative embodiments of a MAC construction system and method according to the principles of the present invention are described below for processing messages of arbitrary length with improved efficiency. In the following description, the term hash function encompasses a compression function f and an iterated hash function F. A hash function can be keyless or keyed, whereby $F_k$ denotes a keyed iterated hash function and $f_k$ denotes a keyed compression function. Recall that $f_k(x)$ is the keyed compression function whose input block size is b bits and the output size is t bits, and the size of the chaining variable and hence the key size is also t bits. In accordance with one aspect of the present invention, depending on the size of the message, the MAC generator uses different hash function arrangements to generate the MAC. For example, the MAC generator could make a single iteration of a keyed compression function as the hash function if the message x (and any additional required bits) fits in an input block of the compression function f. For messages not fitting within the input block, the MAC generator uses nested hash functions. As shown in FIG. 9, a message x is input into the compression function f with any required padding, message length fields, block indicator fields or other fields appended to the message x. If the message x (and any additional required bits) fits within the input block for the compression function, a single iteration of the keyed compression function f 90 is performed using the message x and a key k to produce a MAC $f_k(x)$ for the message x.

[0021] Otherwise, as shown in FIG. 10, if the message x (and any additional required bits) does not fit within an input block of the compression function f, the message block x is divided into portions, such as portion 1 and portion 2. Portions of the message block can be overlapping or non-overlapping sets of the bits making up the message x. In accordance with another aspect of the present invention, a first portion is used in the inner hash function F, and a second portion is used in the outer hash function, which is shown as a compression function $f_{CV1}$. For example, portion2 is provided to the inner hash function F where calls to or iterations of the compression function 100a to 100n (if needed) are made with blocks $portion2_1$ to $portion2_n$ of portion2, including any appended padding or fields, where n>=1. The initial iteration or call 100a to the compression function f uses a chaining variable CV2 which could be a key or a key derived from a key or the standard initial value for the hash function F depending on the embodiment. The result of the inner hash function $F_{CV2}(portion2)$ is provided to the outer hash or compression function f (102) along with portion 1 of the entire message x and a chaining variable CV1. The chaining variable CV1 could be a key or a key derived from a key or the standard initial value IV for the hash function F depending on the embodiment. The resulting value $f_{CV1}(portion1, F_{CV2}(portion2))$ can be used to produce the MAC used in message authentication.

[0022] The generic description described above can be used to provide improved performance over prior art MAC generation techniques. For example, to enable improved efficiency over NMAC for short messages and also somewhat greater efficiency for larger messages, the following MAC construction is provided. Recall that $f_k(x)$ is the compression function whose input block size is b bits and the output size is t bits, and the size of the chaining variable and hence the key size is also t bits. As shown in FIGs. 11a and 11b, a particular embodiment of the construction for a MAC according to the principles of the present invention is as follows:

$$ENMAC_k(x) = \begin{cases} f_{k_1}(x, pad, 1) & \text{if } |x| \le b - 2 \text{ bits} \\ f_{k_1}(x_{pref}, F_{k_2}(x_{suff}), 0) & \text{else,} \end{cases}$$

where, in the first case, the first b-2 bits in the block are used to hold the message x. If the message x does not fill the first b-2 bits, then padding is required and the remaining block, except the last bit, is filled with a mandatory 1 followed by 0's (possibly none). In the case that the message is b-2 bits long, the (b-1)th bit is set to 1. In this embodiment, the last bit of the block indicates whether a single compression call is used for ENMAC. The last bit of the block is set to 1 in the single compression call case and is set to 0 when multiple calls or iterations of the compression function f are required. In the second case where things will not fit in one block, the string x is broken into two portions or segments $x_{pref}$ and $x_{suff}$, where

and

$$x_{suff} = x_{b-t} \ldots x_{|x|}.$$

First, $x_{suff}$ is hashed using a key value $k_2$ to produce the t bit result of $F_{k_2}(x_{suff})$. Then, an outer compression call is performed using a key value $k_1$ where the first b-t-1 bits are set to $x_{pref}$ and the next t bits are set to the result $F_{k_2}(x_{suff})$, and the last bit is set to zero.

[0023] The ENMAC construction described above can use a SHA-1 hash function as the underlying cryptographic hash function as described below with particular reference to FIG. 12. As shown in block 110, the processing circuitry implementing the ENMAC construction determines if the length of x, |x|, is less than or equal to 510 bits. If so, the processing circuitry proceeds to step 112 to form the 512 bit payload of $f_{k_1}()$ by loading x into the first 510 bits. Then, a 1 is appended to x at block 114, and as many 0's as needed (possibly none) are used to fill the 511 bits at block 116. If |x| is less than 510 bits, then zeroes will be padded beyond the 1, or else if |x| is 510 bits, then no zeroes are padded and only a single 1 is appended at the 511th bit position at the block 114. At block 118, the last 512th bit (block indicator bit) is set to one to indicate that the message fits in a single block. At block 120, the keyed compression function $f_{k_1}(x, pad, 1)$ is performed using the key $k_1$ as the 160 bit chaining variable and the message x, the padding bit(s) and the block indicator bit as the 512 bit payload or input block. Subsequently the result $f_{k_1}(x, pad, 1)$ is output and used to provide the MAC at block 122.

[0024] If, at block 110, the message x is greater than 510 bits, the processing circuitry proceeds to block 124 where the message is split into two portions $x_{pref}$ and $x_{suff}$ where $x_{pref} = x_1 \ldots x_{351}$ and $x_{suff} = x_{352} \ldots x_{|x|}$. Then, at block 126, the processing circuitry performs the keyed hash function $F_{k_2}$ using the key $k_2$ and the message portion $x_{suff}$ with any additional padding bit(s) and/or bit field(s) as the payload to achieve the 160 bit result of $F_{k_2}(x_{suff})$. At block 128, the first 351 bits of the payload of the outer compression function $f_{k_1}$ is set to be $x_{pref}$, and at block 130, the next 160 bits of the payload is set to be the result of $F_{k_2}(x_{suff})$ calculated in block 126. The last 512th bit of the payload is set to 0 at block 132. Finally, at block 134, the outer keyed compression function $f_{k_1}$ is applied to the 512 bit payload formed at blocks 128 to 132 and the result $f_{k_1}(x_{pref}, F_{k_2}(x_{suff}), 0)$ is output at block 136 for producing a MAC.

[0025] Table 2 below compares the number of compression calls required by the underlying hash function, SHA-1, and by ENMAC for short messages varying in sizes of 30 byte increments. A significant difference exists between Table 2 and the previous Table 1 which compared plain NMAC. For many of the short sizes, NMAC has the same efficiency as the underlying hash function. For larger messages the efficiency of NMAC, ENMAC and the underlying hash function will not be significantly different from each other. For messages of size 480 bits, the entry in Table 2 surprisingly indicates that the ENMAC is more efficient than the underlying hash function. This anomaly occurs because the underlying SHA-1 function reserves 64 bits for the size information while ENMAC reserves only 2 bits for messages less than 510 bits. Thus, the savings resulting from using ENMAC are significant for messages that fit in one or few blocks.

Table 2: Comparison in number of compression calls for short messages of various sizes.

x in 240 bit increments    # of f in F(x)    # of f in ENMAC    % inefficiency
240                        1                 1                  0%
480                        2                 1                  -50%
720                        2                 2                  0%
960                        3                 3                  0%
1200                       3                 3                  33%
1440                       3                 4                  33%
1680                       4                 4                  0%
1920                       4                 5                  25%
2160                       5                 5                  0%
2400                       5                 6                  20%
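
The constructions of paragraphs [0010] to [0012] and [0022] to [0024], as an added example that is not part of the patent text: it implements the SHA-1 compression function f, the keyed iterated hash F, NMAC and ENMAC on bit strings, and counts compression calls for the message sizes of Tables 1 and 2. The function names, the keys K1 and K2 and the test messages are constructed for illustration.

```python
import hashlib
import struct

B, T = 512, 160   # SHA-1: block size b and chaining-variable/output size t, in bits
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
CALLS = 0         # number of compression calls made since the last reset


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def f(cv, payload):
    """SHA-1 compression f(cv, x): cv is five 32-bit words, payload a 512-char bit string."""
    global CALLS
    CALLS += 1
    assert len(payload) == B
    w = list(struct.unpack(">16I", int(payload, 2).to_bytes(B // 8, "big")))
    for i in range(16, 80):
        w.append(_rol(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = cv
    for i in range(80):
        if i < 20:
            g, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            g, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            g, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            g, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rol(a, 5) + g + e + k + w[i]) & 0xFFFFFFFF, a, _rol(b, 30), c, d
    return tuple((s + v) & 0xFFFFFFFF for s, v in zip(cv, (a, b, c, d, e)))


def cv_bits(cv):
    """Chaining variable as a 160-char bit string."""
    return "".join(format(word, "032b") for word in cv)


def to_bits(data):
    return "".join(format(byte, "08b") for byte in data)


def F(cv, x):
    """Iterated hash F_cv(x): SHA-1 padding (a 1 bit, zeros, 64-bit length), then iterate f."""
    padded = x + "1"
    padded += "0" * (-(len(padded) + 64) % B) + format(len(x), "064b")
    for i in range(0, len(padded), B):
        cv = f(cv, padded[i:i + B])
    return cv


def nmac(k1, k2, x):
    """NMAC_k(x) = F_k1(F_k2(x)); the outer call costs one extra compression."""
    return F(k1, cv_bits(F(k2, x)))


def enmac(k1, k2, x):
    """ENMAC with SHA-1 parameters: b - 2 = 510 bits, prefix length b - t - 1 = 351 bits."""
    if len(x) <= B - 2:
        # x, mandatory 1, zeros up to bit 511, block-indicator bit 1 (single call)
        return f(k1, x + "1" + "0" * (B - 2 - len(x)) + "1")
    pref, suff = x[:B - T - 1], x[B - T - 1:]
    # prefix, inner keyed hash of the suffix, block-indicator bit 0 (nested case)
    return f(k1, pref + cv_bits(F(k2, suff)) + "0")


def calls(fn, *args):
    """Run fn(*args) and return how many compression calls it made."""
    global CALLS
    CALLS = 0
    fn(*args)
    return CALLS


def matches_hashlib(data):
    """Sanity check: F keyed with the standard IV is plain SHA-1."""
    digest = int(cv_bits(F(IV, to_bits(data))), 2).to_bytes(T // 8, "big")
    return digest == hashlib.sha1(data).digest()


# Constructed 160-bit sample keys and message sizes in 240 bit increments
K1 = tuple(range(1, 6))
K2 = tuple(range(6, 11))
SIZES = list(range(240, 2401, 240))


def call_table():
    """Rows of (bits, calls in F, calls in NMAC, calls in ENMAC)."""
    rows = []
    for n in SIZES:
        x = "01" * (n // 2)   # constructed n-bit message
        rows.append((n, calls(F, IV, x), calls(nmac, K1, K2, x), calls(enmac, K1, K2, x)))
    return rows


if __name__ == "__main__":
    for row in call_table():
        print("%5d bits  F=%d  NMAC=%d  ENMAC=%d" % row)
```
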



[0026] If a different key $k_3$ were used to MAC messages which fit in one block and key $k = (k_1, k_2)$ were used to MAC larger messages using NMAC, then we could argue the system would be secure. Essentially, this is what is being done, but instead of using a different key to create a different MAC, the trailing bit is being set to 1 if the message fits in one block and it is set to 0 for the other case. Secondly, whereas NMAC pads the payload of the outer compression call with zeros, ENMAC fits part of the message in the outer call.

[0027] ENMAC security results are similar to those of NMAC and will be stated and proved below for pedagogical purposes.

Theorem 2. In t steps and q queries, if the keyed compression function f is an $\epsilon_f$ secure MAC, and the keyed iterated hash F is $\epsilon_F$ weakly collision-resistant, then the ENMAC function is an $(\epsilon_f + \epsilon_F)$ secure MAC.

Proof: Suppose an adversary $A_E$ is successful against ENMAC with probability $\epsilon_E$ assuming t time steps and q adaptively chosen queries to the ENMAC function. This adversary is used to build another adversary $A_f$ which will forge a MAC associated with the keyed compression function on a previously unqueried message. This probability of breaking the MAC is bound in terms of $\epsilon_E$ and $\epsilon_F$, the best probability of an adversary finding a collision in the hash function F in time t and q queries. The probability of breaking the MAC in this particular way, using $A_E$, has to be less than the best probability of breaking the MAC in any way, $\epsilon_f$. This can be used to get a bound on $\epsilon_E$. The algorithm $A_f$ used to forge the keyed compression MAC is set out below.

Choose random $k_2$

For i = 1...q
    If $x_i < b - 2$
        $A_E \leftarrow f_{k_1}(x_i, pad, 1)$
    else
        $A_E \leftarrow f_{k_1}(x_{i,pref}, F_{k_2}(x_{i,suff}), 0)$

$A_E \rightarrow (x, y)$
If $x < b - 2$
    output $(x, pad, 1), y$
else
    output $(x_{pref}, F_{k_2}(x_{suff}), 0), y$

[0028] Let $\epsilon_E = \epsilon_{E1} + \epsilon_{E+}$, where $\epsilon_{E1}$ is the probability that ENMAC is attacked and the ENMAC message forged by $A_E$ is about one block size, or to be precise less than b - 2 bits. And let $E_+$ be the event and $\epsilon_{E+}$ be the probability that ENMAC is attacked and the ENMAC message forged by $A_E$ is larger than one block size. Furthermore, $\epsilon_{E+} = \epsilon_{E+,pref\neq} + \epsilon_{E+,pref=}$, where $\epsilon_{E+,pref\neq}$ is the probability that the ENMAC is forged with a multi block message and the prefix of the message does not equal the prefix of any of the messages previously queried by $A_E$. And $\epsilon_{E+,pref=}$ is the probability that the ENMAC is forged with a multi block message and the prefix of the message is equal to the prefix of some previously queried messages by $A_E$. In this case, the suffix of the forged message has to be different than the suffix of the messages with the same prefix.




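\begin{align*}
P[\text{forging MAC of } f] &= P[\text{MAC of } f \text{ forged via } E_1] + P[\text{MAC of } f \text{ forged via } E_+] \tag{1} \\
&= \epsilon_{E_1} + P[\text{MAC of } f \text{ forged via } E_+] \\
&= \epsilon_{E_1} + P[\text{MAC of } f \text{ forged via } E_{+,\mathrm{pref}\neq}] + P[\text{MAC of } f \text{ forged via } E_{+,\mathrm{pref}=}] \tag{2} \\
&= \epsilon_{E_1} + \epsilon_{E+,\mathrm{pref}\neq} + P[\text{MAC of } f \text{ forged via } E_{+,\mathrm{pref}=}] \\
&= \epsilon_{E_1} + \epsilon_{E+,\mathrm{pref}\neq} + P[E_{+,\mathrm{pref}=} \cap \text{no suffix collision in set with same prefixes}] \tag{3} \\
&= \epsilon_{E_1} + \epsilon_{E+,\mathrm{pref}\neq} + 1 - P[\overline{E_{+,\mathrm{pref}=}} \cup \text{suffix collision in set with same prefixes}] \tag{4} \\
&= \epsilon_{E_1} + \epsilon_{E+,\mathrm{pref}\neq} + 1 - P[\overline{E_{+,\mathrm{pref}=}}] - P[\text{collision in set}] + P[\overline{E_{+,\mathrm{pref}=}} \cap \text{collision in set}] \\
&\ge \epsilon_{E_1} + \epsilon_{E+,\mathrm{pref}\neq} + 1 - P[\overline{E_{+,\mathrm{pref}=}}] - P[\text{collision in set}] \tag{5} \\
&\ge \epsilon_{E_1} + \epsilon_{E+,\mathrm{pref}\neq} + 1 - 1 + \epsilon_{E+,\mathrm{pref}=} - P[\text{collision in } q \text{ queries}] \tag{6} \\
&\ge \epsilon_{E_1} + \epsilon_{E+,\mathrm{pref}\neq} + 1 - 1 + \epsilon_{E+,\mathrm{pref}=} - \epsilon_F \\
&\ge \epsilon_{E_1} + \epsilon_{E+} - \epsilon_F \\
&\ge \epsilon_E - \epsilon_F \tag{7} \\
\epsilon_f \ge P[\text{forging MAC of } f \text{ via forging ENMAC}] &\ge \epsilon_E - \epsilon_F \tag{8} \\
\epsilon_f &\ge \epsilon_E - \epsilon_F \\
\text{therefore } \epsilon_E &\le \epsilon_f + \epsilon_F \tag{9}
\end{align*}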

[0029] Equation 1 breaks the probability of forging a new MAC of f into the probability of forging a new MAC of f via
forging an ENMAC MAC, either single block or multiple blocks. The probability of breaking f via breaking a multiple block
ENMAC is broken in equation 2 into the case of no prefix being equal to any other prefix on all queried messages and
the case of some prefix being the same among the queried messages. In equation 3, the probability that the MAC of
f is forged via $E_{+,\mathrm{pref}=}$ is equated to the case of the probability of $E_{+,\mathrm{pref}=}$ happening and no collisions in the hash of the
suffix occurring among the messages with the same prefixes. Equation 4 is a rewriting of equation 3 using De Morgan's
Law. In equation 6, the probability of collision among the set with the same prefix is replaced by the probability of
collision with all q queries. Equation 9 is our desired result that the probability of forging ENMAC, $\epsilon_E$, is less than $\epsilon_f$, the
probability of forging the MAC, plus $\epsilon_F$, the probability of finding a collision.
[0030] Since, in practice, data is often processed in bytes, it may be appropriate to perform the single block case
when the length of the message x is less than b-8 bits rather than the b-2 bits specified above. In the case of multiple
block ENMAC, forming $x_{\mathrm{suff}}$ beginning at a non-word boundary may cause a re-aligning of all the words in $x_{\mathrm{suff}}$. This
can be avoided by using a different variant of ENMAC as follows, using byte sizes rather than bits for practical purposes.

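$$\mathrm{ENMAC}_k(x) = \begin{cases} f_{k_1}(x, \mathrm{pad}, 1) & \text{if } |x| \le 504 \text{ bits} \\ f_{k_1}(F_{k_2}(x_{\mathrm{pref}}), x_{\mathrm{suff}}, 0) & \text{else,} \end{cases}$$

Where for SHA-1 as the underlying cryptographic hash function f,

$$x_{\mathrm{pref}} = x_1 \ldots x_{|x|-344},$$

and

$$x_{\mathrm{suff}} = x_{|x|-343} \ldots x_{|x|}.$$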

For messages of length up to 63 bytes (504 bits) and in addition to any additional padding of a 1 followed by 0's to pad
the message to 504 bits, the last byte is reserved for the block indicator or "X0000001", where a one indicates a single
block message and the X can be a "1" following a 504 bit unpadded message. For unpadded messages less than 504
bits, the X is a "0". For messages greater than 504 bits, the message is divided into portions $x_{\mathrm{pref}}$ and $x_{\mathrm{suff}}$, where the
length of $x_{\mathrm{suff}}$ is 43 bytes (344 bits) and the length of $x_{\mathrm{pref}}$ = length of message - 344 bits.

[0031] In addition to the embodiment(s) described above, the message authentication system according to the principles
of the present invention can omit and/or add input parameters and/or compression and/or hash functions or
other operations, key values and/or use variations or portions of the described system. For example, FIGs. 13a and
13b show an embodiment of the message authentication system used as an enhanced HMAC system as follows.

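$$\mathrm{EHMAC}_k(x) = \begin{cases} F(k \oplus \mathrm{opad}, x, 1) & \text{if } |x| \le b - a - 1 - \text{other fields} \\ F(k \oplus \mathrm{opad}, x_{\mathrm{pref}}, F(k \oplus \mathrm{ipad}, x_{\mathrm{suff}}), 0) & \text{else.} \end{cases}$$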

In the first case of FIG. 13a, the message x fits in the single block. This means that the message x has to be smaller
than b - 1 - other fields, where other fields may include some bits due to padding and/or length appending schemes of
the hash function F. Assuming x is small enough, then a larger input is formed whose first part is $k \oplus \mathrm{opad}$, followed
by x, which in turn is followed by a bit set to 1. This larger message is inputted to the underlying hash function F. Looking
inside F, we see that first a key k1 is created by calling the compression function $f(k \oplus \mathrm{opad})$, where k may have to be
padded to the appropriate length. The result is used as the chaining variable for the next call to the compression function
whose payload is (x,1) padded and/or length appended according to the specifications of the hash function F.
[0032] In FIG. 13b, where the message x along with additional required fields will not fit in one block, the string x is
broken into two portions or segments $x_{\mathrm{pref}}$ and $x_{\mathrm{suff}}$,

where

$$x_{\mathrm{pref}} = x_1 \ldots x_{b-a-1-\mathrm{other}}$$

and

$$x_{\mathrm{suff}} = \text{rest of } x$$
First, in an inner hash function 130, a bitwise exclusive-or is performed between key k and ipad to produce k2 which
is used as the chaining variable along with the input block $x_{\mathrm{suff}_1}$. The compression function f is called until block $x_{\mathrm{suff}_n}$
is input into the last compression function with any padding, appended length fields or other fields to produce the result
of the hash function for $F(k \oplus \mathrm{ipad}, x_{\mathrm{suff}})$, where k may have to be padded to the appropriate length. At an outer hash
function 132, the key k1 is determined by calling a compression function 134 with the value IV as the chaining variable
and $k \oplus \mathrm{opad}$ as an input. The value k1 is used as the chaining variable for a compression function 136 with the input
set to $x_{\mathrm{pref}}$ prepended to $F(k \oplus \mathrm{ipad}, x_{\mathrm{suff}})$, and appended with a zero. The result $F(k \oplus \mathrm{opad}, x_{\mathrm{pref}}, F(k \oplus \mathrm{ipad}, x_{\mathrm{suff}}), 0)$
can be used to provide the MAC.

[0033] FIGs. 14a and 14b show yet another embodiment of the message authentication system used as an SMAC
system as described below in the context of a specific example implementation in terms of bytes.



[0034] As with the other embodiments, SMAC consists of two cases: the single block (<= 63 bytes) case of FIG.
14a and the multiple-block case (> 63 bytes) of FIG. 14b. In both cases a call to a keyed compression function f, such
as a SHA function, is made. In the single block case, no other function calls are required. However, in the multi-block
case, an unkeyed hash function F 140, such as the standard SHA1_HASH, is applied to the beginning part of the
message $x_{\mathrm{pref}}$. Then the hash result and the remaining message are fit into an input or payload block and a call to a
keyed compression function f 142 is made. More details of the loading of the SHA-1 compression function f are shown
in Tables 3 and 4 below.

[0035] As shown, the last, 512th, bit of the sha1 compression function is used as the "single block indicator bit" and
is set to 1 in the single-block case and is set to 0 in the multiple-block case. Since the message is processed in byte
multiples in this embodiment, none of the remaining bits in the last byte can be used to process the message. Hence,
the entire last byte (64th) of the compression function is reserved. In the multiple-block case, the bits 505-511 are also
set to zero as shown in Table 4. For the single-block case, bits 506-511 are set to zero; however, the 505th bit is used
as an extra pad bit whose function will become clear once the padding scheme used in the single block case is explained.

[0036] Messages that partially fill a block require a padding method. The multiple-block case does not require a
padding method to fill the compression function since the block is completely filled, as shown in Table 4. However, the
SHA1_HASH function does use its own padding when hashing $x_{\mathrm{pref}}$. To pad messages in the single-block case, a 1 is
appended to the message and then as many zeroes, possibly none, are appended until the remaining bits in the block
are filled, or more precisely, until the 505th bit is filled. As an example, in the special case that the single block message
is 63 bytes or 504 bits long, a 1 is added to the 505th bit. The remaining bits 506-512 were filled as described previously.
[0037] In the multiple-block case, the hash function F 140 is applied in blocks $x_{\mathrm{pref}_1}$ to $x_{\mathrm{pref}_n}$ to all but the last 43
bytes of the message which outputs a 20 byte digest. The last 43 bytes are not processed in the hash function F so
that they can be processed by the compression function f 142. The reason for 43 bytes is that out of 64 bytes available,
the first 20 bytes will be used to load the digest and the last byte is specially reserved as shown in Table 4 for the SHA-1
hash function and SHA-1 compression function.



$$\mathrm{SMAC}(x) = \begin{cases} f_K(x, \mathrm{pad}, 1) & \text{if } |x| \le 63 \text{ bytes} \\ f_K(F(x_{\mathrm{prefix}}), x_{\mathrm{suffix}}, 0) & \text{if } |x| > 63 \text{ bytes} \end{cases}$$

$$x_{\mathrm{pref}} = \text{bytes } x_1 \ldots x_{|x|-43}$$

$$x_{\mathrm{suff}} = \text{bytes } x_{|x|-42} \ldots x_{|x|}$$

Table 3: Single Block Case - Loading of sha1 compression function

$Y_1 \ldots Y_{20} = \text{SHA-HASH}(x_1 \ldots x_{|x|-43})$

Table 4: Multiple Block Case - Loading of sha1 compression function



[0038] FIG. 15 shows a flow diagram for the SMAC construction. Initially, the key is XORed with the IV and loaded
into the chaining variable of sha1 compression function as shown in block 148. At block 150, processing circuitry makes
a determination whether |x| > 63 bytes. If not, the processing circuitry proceeds to the single block case where the
message x is loaded into the left side of the 512 bit block of the compression function f at block 152. At block 154, the
processing circuitry appends '1' into the next bit. At block 156, the rest of the block is filled with zeroes until the last
512th bit which is set to 1 at block 158. At block 160, the compression function f is called using the chaining variable
(K XOR IV) and the payload from blocks 152-158. The 20 byte MAC is returned at block 162.
[0039] At block 150, if |x| > 63 bytes, the processing circuitry proceeds to the multiple block case. At block 164, the
message x is split into two pieces: $x_{\mathrm{pref}}$: bytes $x_1 \ldots x_{|x|-43}$ and $x_{\mathrm{suff}}$: bytes $x_{|x|-42} \ldots x_{|x|}$. At block 166, the
SHA1_HASH function is called with $x_{\mathrm{pref}}$ and a 20 byte result is produced. At block 168, the 20 byte result is loaded
into the left side of the 64 byte block of the sha1 compression function, and $x_{\mathrm{suff}}$ is added to bytes 21 to 63. At block
170, the last 64th byte is set to 0. Finally, at block 172, the sha1 compression function is called using chaining variable
calculated initially (K XOR IV) and the payload from blocks 168 and 170. The 20 byte MAC is returned at block 162.

[0040] SMAC is closer to NMAC than HMAC, hence we will compare it to NMAC rather than HMAC. NMAC has an
inner call to the hash function F and an outer call to the compression function f. SMAC does the same for messages
larger than 63 bytes, but skips the hash call for smaller messages. For longer messages, SMAC processes some part
of the message in the outer compression call, thus reducing the text processed by the internal hash function call. NMAC
does not do this, but instead fills the rest of the outer compression call's payload with zeroes. In NMAC, the inner hash
function is keyed whereas SMAC does not key the internal call. SMAC's internal call can be keyed, but for efficiency
purposes was not done so in this embodiment. The security is not fundamentally affected because it is believed infeasible
to find a collision even in the keyless SHA1_HASH function.
[0041] The following is the code which could be used to implement the SMAC. 
Outputs to internal stored data:

MAC 32 bits

/* smac calls following functions: */

/* sha1_comp is the sha1 compression function. cv is the 160 bit chaining
   variable, temp is the 512 bit payload, and the result is output in the
   160 bit adigest. */
void sha1_comp(unsigned char cv[20], unsigned char temp[64], unsigned char adigest[20]);

/* SHA1_HASH is the hash function. M is the message, textlen is the number
   of bytes in message and the result is output in the 160 bit adigest */
void SHA1_HASH(unsigned char *M, int textlen, unsigned char adigest[20]);

void smac(int keylen, unsigned char *K, int textlen, unsigned char *M, unsigned char mac[20])
{
    int i;
    unsigned char cv[20], temp[64];

    /* set 20byte chaining variable cv to default IV0 as defined in fips180 */
    cv[0]=0x67; cv[1]=0x45; cv[2]=0x23; cv[3]=0x01; cv[4]=0xef; cv[5]=0xcd;
    cv[6]=0xab; cv[7]=0x89; cv[8]=0x98; cv[9]=0xba; cv[10]=0xdc; cv[11]=0xfe;
    cv[12]=0x10; cv[13]=0x32; cv[14]=0x54; cv[15]=0x76; cv[16]=0xc3;
    cv[17]=0xd2;
    cv[18]=0xe1; cv[19]=0xf0;

    /* XOR keys on to chaining variable; callers must pass keylen <= 20,
       key bytes beyond the 20-byte cv are ignored rather than written past it */
    for (i=0; i<keylen && i<20; i++)
        cv[i] = cv[i] ^ K[i];

    /* set temp compression block to be all zeroes */
    for (i=0; i<64; i++) temp[i]=0;

    if ( textlen <= 63 ) {
        /* load the message to the leftmost side */
        for (i=0; i<textlen; i++)
            temp[i] = M[i];
        temp[i] = 0x80;              /* append 1; rest of bits are previously set to 0 */
        temp[63] = temp[63] | 0x01;  /* set 512th bit to 1 */
        sha1_comp(cv, temp, mac);
    }
    else { /* textlen > 63 */
        /* SHA1_HASH on prefix of M */
        SHA1_HASH(M, textlen-43, mac);
        for (i=0; i<20; i++)
            temp[i] = mac[i];                 /* copy digest to the leftmost side. */
        for (i=20; i<63; i++)
            temp[i] = M[textlen-43+(i-20)];   /* next copy suffix of M, */
        temp[63] = 0x00;                      /* set last byte to be zero. */
        sha1_comp(cv, temp, mac);
    }
}
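
An added example, not code from the patent: a self-contained C version of the SMAC construction of paragraphs [0038] to [0041] with the SHA-1 compression function and hash filled in, plus a receiver-side check that compares the full 20-byte tag without an early exit. The names ld32 and smac_verify, the lower-case function names, the size_t lengths and the rejection of keys longer than 20 bytes are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

#define ROL(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
static const unsigned char IV[20] = { 0x67,0x45,0x23,0x01, 0xef,0xcd,0xab,0x89,
    0x98,0xba,0xdc,0xfe, 0x10,0x32,0x54,0x76, 0xc3,0xd2,0xe1,0xf0 };

static uint32_t ld32(const unsigned char *p) {   /* big-endian 32-bit load */
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Compression function f: 160-bit chaining variable cv, 512-bit payload blk. */
void sha1_comp(const unsigned char cv[20], const unsigned char blk[64],
               unsigned char out[20]) {
    uint32_t w[80], h[5], s[5], f, k, t;
    int i;
    for (i = 0; i < 5; i++) h[i] = s[i] = ld32(cv + 4 * i);
    for (i = 0; i < 16; i++) w[i] = ld32(blk + 4 * i);
    for (i = 16; i < 80; i++) w[i] = ROL(w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16], 1);
    for (i = 0; i < 80; i++) {
        if (i < 20)      { f = (s[1] & s[2]) | (~s[1] & s[3]); k = 0x5A827999; }
        else if (i < 40) { f = s[1] ^ s[2] ^ s[3]; k = 0x6ED9EBA1; }
        else if (i < 60) { f = (s[1] & s[2]) | (s[1] & s[3]) | (s[2] & s[3]); k = 0x8F1BBCDC; }
        else             { f = s[1] ^ s[2] ^ s[3]; k = 0xCA62C1D6; }
        t = ROL(s[0], 5) + f + s[4] + k + w[i];
        s[4] = s[3]; s[3] = s[2]; s[2] = ROL(s[1], 30); s[1] = s[0]; s[0] = t;
    }
    for (i = 0; i < 20; i++)   /* add the input chaining value, store big-endian */
        out[i] = (unsigned char)((h[i / 4] + s[i / 4]) >> (24 - 8 * (i % 4)));
}

/* Unkeyed iterated hash F: standard SHA-1 padding and length, built on f. */
void sha1_hash(const unsigned char *m, size_t len, unsigned char out[20]) {
    unsigned char blk[128] = {0};
    size_t i, rem = len % 64, n = rem < 56 ? 64 : 128;
    memcpy(out, IV, 20);
    for (i = 0; i + 64 <= len; i += 64) sha1_comp(out, m + i, out);
    memcpy(blk, m + i, rem);
    blk[rem] = 0x80;
    for (i = 0; i < 8; i++)
        blk[n - 1 - i] = (unsigned char)(((uint64_t)len * 8) >> (8 * i));
    sha1_comp(out, blk, out);
    if (n == 128) sha1_comp(out, blk + 64, out);
}

/* SMAC as in FIG. 15; returns -1 if the key exceeds the 20-byte cv. */
int smac(const unsigned char *key, size_t keylen, const unsigned char *m,
         size_t len, unsigned char mac[20]) {
    unsigned char cv[20], blk[64] = {0};
    if (keylen > 20) return -1;
    memcpy(cv, IV, 20);
    for (size_t i = 0; i < keylen; i++) cv[i] ^= key[i];   /* K XOR IV */
    if (len <= 63) {
        memcpy(blk, m, len);
        blk[len] = 0x80;   /* pad '1' bit; this is bit 505 when len == 63 */
        blk[63] |= 0x01;   /* bit 512 = 1: single-block indicator */
    } else {
        sha1_hash(m, len - 43, blk);          /* digest of prefix into bytes 1-20 */
        memcpy(blk + 20, m + len - 43, 43);   /* suffix into bytes 21-63, byte 64 stays 0 */
    }
    sha1_comp(cv, blk, mac);
    return 0;
}

/* Receiver side: recompute the tag and compare all 20 bytes without early exit. */
int smac_verify(const unsigned char *key, size_t keylen, const unsigned char *m,
                size_t len, const unsigned char tag[20]) {
    unsigned char mac[20], diff = 0;
    if (smac(key, keylen, m, len, mac) != 0) return 0;
    for (int i = 0; i < 20; i++) diff |= (unsigned char)(mac[i] ^ tag[i]);
    return diff == 0;
}
```

Because the inner SHA1_HASH call is unkeyed, two messages whose prefixes collide under SHA-1 and whose last 43 bytes match receive the same tag, which is the collision-resistance dependence paragraph [0040] describes. SHA-1 collisions have been demonstrated publicly since this filing, so that assumption no longer holds for SHA-1.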

[0042] The MAC system has been described as being used with particular hash or compression functions, such as
SHA-1, but other hash functions or related cryptographic functions can be used as well as different or additional functions.
Additionally, particular bit or byte values for the message, payloads, chaining variables and key values have
been described, but depending on the embodiments, these numbers can change. Furthermore, the key values can be
a key, derived from a key or portion(s) thereof. It should be understood that different notations, references and characterizations
of the various values, inputs and architecture blocks can be used. For example, the term compression
function f is used and hash function F is used where the iterated hash function F is constructed using iterating or
chained compression functions f. It should be understood that a compression function is also a hash function.
[0043] In alternative embodiments, the functionality described for the message authentication system can be performed
with processing circuitry at a home authentication center, home location register (HLR), a home MSC, a visiting
authentication center, a visitor location register (VLR) and/or in a visiting MSC. Moreover, the message authentication
system and portions thereof can be performed in a wireless unit, a base station, base station controller, MSC, VLR,
HLR or other sub-system of a wireless communications system. Depending on the embodiment, the MAC can be sent
in association with the message, and the MAC is compared and/or verified with a MAC generated at the receiving end.
Additional functionality can alter or transform the MAC before it is sent in association with the message, and the same
functionality can be performed on the MAC generated at the receiving end for comparison and/or verification (message
authentication). Finally, the MAC could be sent, and additional functionality alters or transforms the received MAC and
the MAC generated at the receiving end to perform message authentication. An example of additional functionality
could be using the 32 least significant bits of the MAC for any comparisons or verification functions in performing
message authentication. As such, the MAC and/or altered or transformed MAC can be referred to as MAC or tag.
[0044] Additionally, although the message authentication system is described in the context of wireless communications
system, the message authentication system can be used to verify the integrity of or authenticate a communications
message sent from a sending point to a receiving point over any network or communications medium. It should
be understood that the system and portions thereof and of the described architecture can be implemented in or integrated
with processing circuitry in the unit or at different locations of the communications system, or in application
specific integrated circuits, software-driven processing circuitry, programmable logic devices, firmware, hardware or
other arrangements of discrete components as would be understood by one of ordinary skill in the art with the benefit
of this disclosure. What has been described is merely illustrative of the application of the principles of the present
invention. Those skilled in the art will readily recognize that these and various other modifications, arrangements and
methods can be made to the present invention without strictly following the exemplary applications illustrated and
described herein and without departing from the scope of the present invention as claimed.

Claims

1. A method of processing a message for authentication, said method comprising:

performing a single iteration of a compression function using a key and said message as inputs when said
message fits within an input block of said compression function; and
using a hash function nested within a keyed hash function to process said message when said message does
not fit within an input block of said compression function.

2. The method of claim 1 wherein said step of using comprises the steps of:

providing a first portion and a second portion of said message;
performing a hash function using said first portion as an input to achieve a result; and
performing a keyed hash function using said second portion and said result as inputs.

3. The method of claim 2 wherein said hash function is an iterated hash function F and said keyed hash function is
a keyed compression function f.

4. The method of claim 2 wherein said hash function is an iterated hash function F and said keyed hash function is
an iterated hash function F.

5. The method of claim 1 further comprising the steps of:

using a result from said compression function to produce a message authentication code; and
sending said message authentication code in association with said message for authenticating said message
using said message authentication code.

6. The method of claim 1 further comprises:

using a result from said compression function to produce a message authentication code; and
comparing said message authentication code to a received message authentication code received with said
message, whereby said message is authentic if said message authentication code and said received authentication
code match.

7. A method of processing a message for authentication, said method comprising:

providing a first portion and a second portion of said message;
performing a hash function using said first portion as an input to achieve a result; and
performing a keyed hash function using said second portion and said result as inputs.

8. The method of claim 7 comprising the step of:

determining whether said message fits within an input block of a compression function; and
performing said steps of providing, performing and performing when said message does not fit within an input
block of said compression function.

9. A message authentication system comprising:

processing circuitry configured to perform a single iteration of a compression function using a key and said
message as inputs when said message fits within an input block of said compression function and to use a
hash function nested within a keyed hash function to process said message when said message does not fit
within an input block of said compression function.

10. A message authentication system comprising:

processing circuitry configured to provide a first portion and a second portion of said message, perform a hash
function using said first portion as an input to achieve a result, and perform a keyed hash function using said
second portion and said result as inputs.